Report No. D-2009-054
February 17, 2009

Identification of Classified Information in Unclassified
DoD Systems During the Audit of Internal Controls and
Data Reliability in the Deployable Disbursing System

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

February 17, 2009

MEMORANDUM FOR ASSISTANT DEPUTY COMMANDANT, PROGRAMS AND
                 RESOURCES DEPARTMENT; AND FISCAL DIRECTOR
                 OF THE UNITED STATES MARINE CORPS
               COMMANDER, U.S. CENTRAL COMMAND
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING
                 SERVICE

SUBJECT: Report on the Identification of Classified Information in Unclassified DoD
         Systems During the Audit of Internal Controls and Data Reliability in the
         Deployable Disbursing System (Report No. D-2009-054)

We are providing this report for information and use. We considered
management comments on a draft of this report in preparing the final report. Comments
provided by the Assistant Deputy Commandant, Programs and Resources Department;
and the Fiscal Director of the U.S. Marine Corps conformed to the requirements of DoD
Directive 7650.3; therefore, additional comments are not required. See Attachment 2 for
management comments.

This is the first in a series of reports on our audit of Internal Controls and Data
Reliability in the Deployable Disbursing System (DDS). The audit objective is to
determine whether the internal controls over transactions processed through DDS are
adequate to ensure the reliability of the data processed.
The audit series will include
financial information processed by disbursing stations supporting the Global War on
Terror, as well as the recording of related obligations. We are issuing this report because
we have determined that the U.S. Marine Corps (USMC) has processed disbursement
transactions that contain classified information into unclassified DoD systems. See
Attachment 1 for the audit scope and methodology.

Background

The DDS and the Electronic Document Access/Voucher Processing System
(EDA/VPS) capture disbursement information and documentation for commercial and
miscellaneous payments processed by the USMC disbursing stations supporting the
Global War on Terror. The Defense Finance and Accounting Service (DFAS) developed
DDS to fulfill the need for a military tactical disbursing system to account for Treasury
funds entrusted to disbursing agents on the battlefield and provide timely reporting of
accounting and pay information. DDS is used for a variety of disbursing office functions,
including travel pay, military pay, accounts payable, disbursing and collection processes,
and reporting. During FY 2006 and FY 2007, DDS processed in excess of
9,600 commercial and miscellaneous payments for more than $310 million. DDS feeds
disbursement data to EDA/VPS, which provides access to documents used to support the
procurement, contract administration, bill paying, and accounting processes. Because
DDS and EDA/VPS are unclassified systems, these systems should not contain classified
information.

DoD 5200.1-R, “DoD Information Security Program,” January 1997, prescribes
procedures for implementing Executive Order 12958, “Classified National Security
Information,” April 20, 1995, within DoD.
DoD 5200.1-R, “DoD Information Security
Program,” January 1997, establishes the DoD Information Security Program to promote
proper and effective classification, protection, and downgrading of official information
requiring protection in the interest of the national security.

U.S. Central Command (USCENTCOM) Security Classification Guide 0501,
dated June 9, 2005, implements the requirements of Executive Order 12958 for
USCENTCOM. The USCENTCOM Security Classification Guide 0501 establishes the
basic policies for proper classification, downgrading, and declassification of information
related to operations, facilities, communications, data collection, and processing.
Personnel involved in USCENTCOM activities use the USCENTCOM Security
Classification Guide 0501 to determine the levels of security classification assigned to
information, systems, programs, or projects associated with USCENTCOM, including
information processed by disbursing stations supporting the Global War on Terror.

Results

The USMC entered classified information into two unclassified DoD systems,
DDS and EDA/VPS. This occurred because the USMC had not developed a policy to
ensure that finance personnel were adequately aware of classification guidelines
contained in the USCENTCOM Security Classification Guide. In addition, the USMC
had not taken adequate measures to remove existing classified information from these
systems. The unauthorized disclosure of classified information in unclassified systems,
such as DDS and EDA/VPS, could place unsuspecting warfighters or trusted foreign
officials in harm’s way and cause damage to national security.

We identified 2 disbursement vouchers containing supporting documentation
marked with a classification and 31 disbursement vouchers containing unmarked
sensitive information.
We provided 32 of the 33 disbursement vouchers to the DFAS
Corporate Security Office to secure them and to make a classification determination.
They confirmed that one of the two marked disbursement vouchers the USMC
incorporated into EDA/VPS contained marked classified information. The USMC
removed the second of the two marked disbursement vouchers from EDA/VPS. The
DFAS Corporate Security Office also confirmed that the USMC should classify the
31 documents containing unmarked sensitive information that came from EDA/VPS;
therefore, the vouchers should be removed from the system. DFAS ultimately shut the
system down to remove the remaining identified classified information on
November 6, 2008.

DDS data from four disbursement vouchers contained classified information in
the “Payee's Name and Address” and in the “Payee” fields. The USMC personnel
entered this information into DDS.

On October 15, 2008, we informed USMC Disbursing, Operations and Systems
Section personnel that disbursement vouchers containing unmarked classified
information existed in EDA/VPS. They informed us that the USMC had been alerted in
June 2008 to the issue of marked, classified information being included in EDA/VPS.

As a result, the USMC had taken steps to remove the classified information
posted in EDA/VPS by reviewing the vouchers marked with a classification. However,
they had not reviewed EDA/VPS for sensitive information that did not contain any
classification markings.

On October 20, 2008, we provided the USMC Disbursing, Operations and
Systems Section information regarding vouchers in EDA/VPS that contained sensitive
information requiring classification and removal from EDA/VPS.
As of
December 3, 2008, DFAS had reviewed EDA/VPS and removed 31 of the 32 vouchers
we provided to the DFAS Corporate Security Office. However, to prevent the USMC from
entering additional classified information into DDS or scanning it into EDA/VPS, it should
develop a policy to ensure that finance personnel can identify classified information and
remove it before entering it into unclassified systems. Because of the potential exposure
of classified information, the USMC should take immediate action to implement the
following recommendations.

Management Actions

As a result of this audit, DFAS and USMC have taken corrective actions to
identify and remove classified information from EDA/VPS and DDS. In addition, the
USMC has issued policy on identifying and processing classified transactions and
supporting documentation. On December 17, 2008, DFAS completed a review of all
USMC disbursement vouchers within EDA/VPS and removed 4 marked with a
classification and 178 unmarked classified vouchers. On December 17, 2008, the USMC
completed a preliminary inquiry to determine whether classified information was
compromised because of the lack of classification labels on vouchers. On
January 7, 2009, the USMC issued a policy memorandum for identifying and processing
classified information.

Recommendations, Management Comments, and Audit Response

We recommend that the Assistant Deputy Commandant, Programs and Resources
Department; and the Fiscal Director of the U.S. Marine Corps:

1. Develop policy for finance personnel on identifying and processing classified
   transactions and supporting documentation.

Scope and Methodology

We conducted this performance audit in accordance with generally accepted government
auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions, based on our audit
objectives.

This is the first in a series of reports on our audit of Internal Controls and Data Reliability
in the DDS. During FY 2006 and FY 2007, DDS processed in excess of
9,600 commercial and miscellaneous payments for more than $310 million. We
evaluated the FY 2006 and FY 2007 commercial and miscellaneous payment voucher
data and the archived data that the USMC entered into DDS, the interface of this data into
EDA/VPS, and the supporting documentation that the USMC scanned and posted into
EDA/VPS. We applied the classification guidelines contained in USCENTCOM
Security Classification Guide 0501 and reviewed a judgmental sample of DDS data and
EDA/VPS documentation to determine whether these systems contained classified
information. As a result, we determined that the USMC had processed disbursement
transactions that contain classified information. We also discussed the USMC security
policies and DDS processing with USMC financial personnel.

Review of Internal Controls

We did not review the USMC management control program as part of this review. We
will address the USMC management control program in a report on Internal Controls and
Data Reliability in the DDS (Project No. D2007-D000FL-0252.001).

Use of Computer-Processed Data

We relied upon computer-processed data obtained from DDS to perform this audit. We
performed a reliability assessment of computer-processed data out of DDS, which we
will address in the audit, “Internal Controls and Data Reliability in the DDS”
(Project No. D2007-D000FL-0252.001). The reliability of the data from DDS did not
affect the results of the audit.
We also relied upon data from the EDA/VPS system. We did
not assess the reliability of the system because we limited our use of the data to view
vouchers for sensitive information. However, not assessing the reliability of EDA/VPS
did not affect the results of the audit.

Use of Technical Assistance

We consulted with DFAS and DoD OIG security officials.

Prior Audit Coverage

During the past five years there have been no reports issued regarding classified
information processed by DDS.

Attachment 1

United States Marine Corps Comments

Attachment 2